d7daedbc93cf7fa57d5998d6645d1574bb8eced8a17c67ec2ebc06dea6b97934

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Size

82KB
MD5

f03a671ec7616e7870b64684c283ea59
SHA1

f0231397442192ea6d0574a7fd5d10fea7d41f7f
SHA256

d7daedbc93cf7fa57d5998d6645d1574bb8eced8a17c67ec2ebc06dea6b97934
SHA512

787e31471aa5a039eaa9f2dfa9c4ddf3d88e0a269e9237417de21709e51f943c676b9426082cb2084c1a8c10c8528f9f69b8d9b71b681162834911ca3c209dbc
SSDEEP

768:uI/xZk/P9tVTseoQJcWjbnqC03T/rE4ndf/zJ4Pi3Jno3tiFCVm3PDWCGKuTsMC5:zsuQJc7vZ1bZW7VnCaTsL

Score

9^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 2 IoCs

pid	Process
2024	wmimgmt.exe
2600	avp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	wmimgmt.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3468	ARP.EXE

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
564	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ROUTE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmimgmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4184	NETSTAT.EXE

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
4712	net.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3824	ipconfig.exe
4184	NETSTAT.EXE
4564	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1452	systeminfo.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeBackupPrivilege	4476	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeBackupPrivilege	4476	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeRestorePrivilege	4476	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeBackupPrivilege	4476	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeRestorePrivilege	4476	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeBackupPrivilege	4476	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeRestorePrivilege	4476	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeDebugPrivilege	564	tasklist.exe
Token: SeDebugPrivilege	4184	NETSTAT.EXE
Token: SeBackupPrivilege	2024	wmimgmt.exe
Token: SeBackupPrivilege	2024	wmimgmt.exe
Token: SeBackupPrivilege	2024	wmimgmt.exe
Token: SeBackupPrivilege	2024	wmimgmt.exe
Token: SeBackupPrivilege	2024	wmimgmt.exe
Token: SeBackupPrivilege	2024	wmimgmt.exe
Token: SeRestorePrivilege	2024	wmimgmt.exe
Token: SeBackupPrivilege	2024	wmimgmt.exe
Token: SeBackupPrivilege	2024	wmimgmt.exe
Token: SeBackupPrivilege	2024	wmimgmt.exe
Token: SeBackupPrivilege	2024	wmimgmt.exe
Token: SeBackupPrivilege	2024	wmimgmt.exe
Token: SeBackupPrivilege	2024	wmimgmt.exe
Token: SeBackupPrivilege	2024	wmimgmt.exe
Token: SeBackupPrivilege	2024	wmimgmt.exe
Token: SeBackupPrivilege	2024	wmimgmt.exe
Token: SeBackupPrivilege	2024	wmimgmt.exe
Token: SeBackupPrivilege	2024	wmimgmt.exe
Token: SeBackupPrivilege	2024	wmimgmt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 2024	4476	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe	82
PID 4476 wrote to memory of 2024	4476	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe	82
PID 4476 wrote to memory of 2024	4476	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe	82
PID 2024 wrote to memory of 2600	2024	wmimgmt.exe	85
PID 2024 wrote to memory of 2600	2024	wmimgmt.exe	85
PID 2024 wrote to memory of 2600	2024	wmimgmt.exe	85
PID 2024 wrote to memory of 668	2024	wmimgmt.exe	86
PID 2024 wrote to memory of 668	2024	wmimgmt.exe	86
PID 2024 wrote to memory of 668	2024	wmimgmt.exe	86
PID 668 wrote to memory of 952	668	cmd.exe	88
PID 668 wrote to memory of 952	668	cmd.exe	88
PID 668 wrote to memory of 952	668	cmd.exe	88
PID 668 wrote to memory of 4660	668	cmd.exe	89
PID 668 wrote to memory of 4660	668	cmd.exe	89
PID 668 wrote to memory of 4660	668	cmd.exe	89
PID 668 wrote to memory of 3000	668	cmd.exe	90
PID 668 wrote to memory of 3000	668	cmd.exe	90
PID 668 wrote to memory of 3000	668	cmd.exe	90
PID 3000 wrote to memory of 4348	3000	net.exe	91
PID 3000 wrote to memory of 4348	3000	net.exe	91
PID 3000 wrote to memory of 4348	3000	net.exe	91
PID 668 wrote to memory of 1732	668	cmd.exe	92
PID 668 wrote to memory of 1732	668	cmd.exe	92
PID 668 wrote to memory of 1732	668	cmd.exe	92
PID 1732 wrote to memory of 3924	1732	net.exe	93
PID 1732 wrote to memory of 3924	1732	net.exe	93
PID 1732 wrote to memory of 3924	1732	net.exe	93
PID 668 wrote to memory of 564	668	cmd.exe	94
PID 668 wrote to memory of 564	668	cmd.exe	94
PID 668 wrote to memory of 564	668	cmd.exe	94
PID 668 wrote to memory of 1452	668	cmd.exe	97
PID 668 wrote to memory of 1452	668	cmd.exe	97
PID 668 wrote to memory of 1452	668	cmd.exe	97
PID 668 wrote to memory of 2392	668	cmd.exe	100
PID 668 wrote to memory of 2392	668	cmd.exe	100
PID 668 wrote to memory of 2392	668	cmd.exe	100
PID 668 wrote to memory of 4764	668	cmd.exe	101
PID 668 wrote to memory of 4764	668	cmd.exe	101
PID 668 wrote to memory of 4764	668	cmd.exe	101
PID 668 wrote to memory of 888	668	cmd.exe	102
PID 668 wrote to memory of 888	668	cmd.exe	102
PID 668 wrote to memory of 888	668	cmd.exe	102
PID 668 wrote to memory of 2240	668	cmd.exe	103
PID 668 wrote to memory of 2240	668	cmd.exe	103
PID 668 wrote to memory of 2240	668	cmd.exe	103
PID 668 wrote to memory of 4560	668	cmd.exe	104
PID 668 wrote to memory of 4560	668	cmd.exe	104
PID 668 wrote to memory of 4560	668	cmd.exe	104
PID 668 wrote to memory of 4984	668	cmd.exe	105
PID 668 wrote to memory of 4984	668	cmd.exe	105
PID 668 wrote to memory of 4984	668	cmd.exe	105
PID 668 wrote to memory of 4684	668	cmd.exe	106
PID 668 wrote to memory of 4684	668	cmd.exe	106
PID 668 wrote to memory of 4684	668	cmd.exe	106
PID 668 wrote to memory of 3932	668	cmd.exe	107
PID 668 wrote to memory of 3932	668	cmd.exe	107
PID 668 wrote to memory of 3932	668	cmd.exe	107
PID 668 wrote to memory of 4584	668	cmd.exe	108
PID 668 wrote to memory of 4584	668	cmd.exe	108
PID 668 wrote to memory of 4584	668	cmd.exe	108
PID 668 wrote to memory of 3824	668	cmd.exe	109
PID 668 wrote to memory of 3824	668	cmd.exe	109
PID 668 wrote to memory of 3824	668	cmd.exe	109
PID 668 wrote to memory of 4184	668	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476
- C:\ProgramData\Application Data\wmimgmt.exe
  "C:\ProgramData\Application Data\wmimgmt.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\avp.exe
    C:\Users\Admin\AppData\Local\Temp\avp.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:952
  - - C:\Windows\SysWOW64\chcp.com
      chcp
      4⤵
      System Location Discovery: System Language Discovery
      PID:4660
  - - C:\Windows\SysWOW64\net.exe
      net user
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:564
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:1452
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2392
  - - C:\Windows\SysWOW64\find.exe
      find "REG_"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4764
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office
      4⤵
      System Location Discovery: System Language Discovery
      PID:888
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:2240
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:4560
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:4984
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:4684
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:3932
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:4584
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:3824
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -ano
      4⤵
      System Location Discovery: System Language Discovery
      System Network Connections Discovery
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:4184
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      System Location Discovery: System Language Discovery
      PID:3468
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -r
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:4564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
      - C:\Windows\SysWOW64\ROUTE.EXE
        
        C:\Windows\system32\route.exe print
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3524
  - - C:\Windows\SysWOW64\net.exe
      net start
      4⤵
      System Location Discovery: System Language Discovery
      PID:2340
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
  - - C:\Windows\SysWOW64\net.exe
      net use
      4⤵
      System Location Discovery: System Language Discovery
      PID:4464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo n"
      4⤵
      System Location Discovery: System Language Discovery
      PID:884
  - - C:\Windows\SysWOW64\net.exe
      net share
      4⤵
      System Location Discovery: System Language Discovery
      PID:4052
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
  - - C:\Windows\SysWOW64\net.exe
      net view /domain
      4⤵
      System Location Discovery: System Language Discovery
      Discovers systems in the same network
      PID:4712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2948
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "------"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1936
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "domain"
      4⤵
      System Location Discovery: System Language Discovery
      PID:408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2272
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "¬A╛╣"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2052
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "░⌡ªµª¿"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3696
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "├ⁿ┴ε"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4140
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "completed successfully"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wmimgmt.exe

Filesize
82KB

MD5
f03a671ec7616e7870b64684c283ea59

SHA1
f0231397442192ea6d0574a7fd5d10fea7d41f7f

SHA256
d7daedbc93cf7fa57d5998d6645d1574bb8eced8a17c67ec2ebc06dea6b97934

SHA512
787e31471aa5a039eaa9f2dfa9c4ddf3d88e0a269e9237417de21709e51f943c676b9426082cb2084c1a8c10c8528f9f69b8d9b71b681162834911ca3c209dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
43B

MD5
c46903099c41ad82f3a134a1d9d62223

SHA1
076aa7b654665188ceb5c2d7fcbd0d22b948163b

SHA256
b84f9dde7feafe234e2daed5c4e0078404c1a08efabd5efd49b26774a8bd3ee6

SHA512
dd01122df330c8526cff225ac4ab979079fc0c86730a43bba45a2765104e57d915c339fe3caa8230351ec081dc7b34930199e1285a8eafaeaa0eca0a8d71bc79

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
11KB

MD5
75d8cd983d5f036f112b82e3ff96d605

SHA1
eef3de534cb4bf98e0761d475846fb6fd7188d04

SHA256
cb5c6c06cbdbded4b90259fa1245af50221c2066d51a9e70fab09d06fa1a1da3

SHA512
a500d990425c7924163b62d7e31dbb9745e369eeb08952459aa04c785c09887823c00fc8078a7182fa0df91525eebe0be895a17825857d7628dc284f78cf7f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
21KB

MD5
4809f5405222938287aed20b7628de42

SHA1
e3928968d448647434a64c9335312b4cd74d4814

SHA256
823c536f5154feb4fe41021f1c0a247708662447403416e6df9f83ab952ebe8f

SHA512
0b831aa2411e4c57dd79556d0d7be926ab15570332a2038aeeff21fde86a0dd81e4a17ef7bc95b4095e0c4bdfd9a4cd433a37dd469798f6f8ff68886a5148e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
37.5MB

MD5
10545d331032c90a975cfd6a46138202

SHA1
cefaa6a3814b2a8bc97bf230f078ea4bc6b5c4bf

SHA256
5f092143299899cdd3c2836e52462273cf908cfda57742026c43a29f776c3d65

SHA512
a7175943fa5a635066920c4508b91f6b2c0abf7b759f63b878b3aad2494968317afea9487281c6dda6ad70cd1523c604043554b30ad6bf10740bc14d84a3e029

Download Submit
C:\Users\Admin\AppData\Local\Temp\avp.exe

Filesize
24KB

MD5
d0f4e76ba18f7417cd633298335d7173

SHA1
95779eda281afeb2126c801b7eca3f16875bbeec

SHA256
8bf863a2acd05ee6587f2660e822d38839a09f8e4bd447146edad8c124f8f648

SHA512
d4a2f3ab1897594f2ace4a78b029629a62aa93b473443321ad6359c1c3b0c6e8b77ab3ceb01242d48e619c8243bab46cf896f038eb10a72ebf676f99d73b1bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\drivers.p

Filesize
15B

MD5
4ff8e80638f36abd8fb131c19425317b

SHA1
358665afaf5f88dfebcdb7c56e963693c520c136

SHA256
6b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626

SHA512
d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghi.bat

Filesize
3KB

MD5
b98e8fcde49a1caee295a6bd3d264e56

SHA1
71c82391a8617212ad48c8d79755e71be2e20be9

SHA256
e369c7e2e7ac0280882693038b213be0309c910df62f35a5159a125ecd18fb9a

SHA512
fb5fa414449e7dd4ce1fedcb92487f59ed18d7fbd3146eb59ec8f7256d68551adebb7d35e859fe7b6bce5a0b042b0de1e9ee56369a8686976dd121b44ff46742

Download Submit
memory/2024-34-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4476-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4476-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads